In a report published by the UK Financial Conduct Authority (FCA) on 21 May 2021 regarding "common control failings identified in anti-money laundering frameworks," particular concern was raised regarding Customer Due Diligence (CDD), and specifically "Enhanced Due Diligence" (EDD).
The report highlighted, among other things, that "some firms’ approach to due diligence measures was inadequate and did not always mitigate the risks posed by [specific] customers." In this context, the report recommended that "firms must ensure they apply EDD measures in all high-risk situations and can clearly demonstrate what work has been undertaken."
The purpose of this article is to examine the principle of Enhanced Due Diligence while understanding its day-to-day use and application – particularly when onboarding and/or monitoring clients.
CDD Requirements
The Maltese Prevention of Money Laundering and Funding of Terrorism Regulations (PMLFTR / S.L. 373.01) mandate that "customer due diligence measures [1] shall be applied to all customers when:
- establishing a business relationship,
- carrying out an occasional transaction, and/or
- the subject person has knowledge or suspicion of proceeds of criminal activity, money laundering, or the funding of terrorism..." [2]
Furthermore, under Regulation 7(1), these CDD measures must consist of:
- The identification and verification of the customer.
- The identification and verification of the beneficial owner(s).
- Obtaining information on the purpose and intended nature of the business relationship to allow for the creation of a business/risk profile, and
- Conducting ongoing monitoring of the business relationship.
The four measures above form the foundation of any sound compliance program for combating financial crime. In practice, subject persons typically formulate and define a standard level of CDD measures for normal-risk clients (taking sector-specific guidelines into account), while Simplified Due Diligence (SDD) measures may apply to clients presenting a lower risk of money laundering and terrorist financing (ML/TF).
Enhanced Due Diligence (EDD)
The online AML portal "ComplyAdvantage" defines EDD as "the process of collecting data and information to verify a customer's identity, where additional information is required to mitigate the risk associated with that customer." Simply put: in situations where due diligence presents a higher ML/TF risk, more information and documentation should be obtained. (This requirement applies to both occasional transactions and business relationships).
The Wolfsberg Group also provides an interesting definition: EDD refers to "additional information collected as part of the customer due diligence process, or enhanced precautionary measures, such as ongoing activity monitoring, applied on a risk-sensitive basis in any situation that by its nature may present a higher ML/TF risk." The emphasis on ongoing monitoring is crucial from Wolfsberg's perspective, especially as their recommendations primarily target credit/financial institutions.
One of the best-known definitions distinguishing between CDD and EDD comes from the New Zealand Financial Markets Authority (FMA). In their Enhanced Customer Due Diligence Guidelines, they define EDD as involving "two core requirements beyond standard CDD." These are: (i) the introduction of enhanced or more sophisticated measures to obtain and verify customer data and beneficial ownership structures – corresponding to the specific risk level – and (ii) the obligation to obtain and verify information on the Source of Wealth and Source of Funds – taking reasonable steps appropriate to the risk.
This dual reasoning is echoed by the UK's Joint Money Laundering Steering Group (JMLSG) (Part I Guidance Notes of 2020). They state that obtaining comprehensive CDD data/documents on file (i) helps formulate the risk assessment process and effectively manage ML/TF risks, and (ii) provides a baseline for monitoring customer activities and transactions, thereby increasing the likelihood of detecting if products and services are being used for ML/TF.
All the interpretations above (however heterogeneous and interesting they may be) can be construed to mean that, as far as EDD is concerned:
- Additional data collection and information gathering is a must;
- Such data collection forms part of a deliberately "more cautious/sophisticated" approach to the customer;
- All findings will assist practitioners in conducting more robust risk assessments.
Risk-Based Approach (RBA) and EDD Measures
The FATF Guidance for a Risk-Based Approach for TCSPs states that the general principle of a risk-based approach (which itself forms the cornerstone of AML/CFT guidelines and legislation) is that where "higher risks exist, enhanced measures should be taken to manage and mitigate those risks." Furthermore, the "range, degree, and frequency or intensity of preventive measures and controls conducted should be increased in higher-risk scenarios." Therefore, knowing how and when to apply EDD is fundamental.
The Extent of EDD Measures
The JMLSG also points out that, in practice under a risk-based approach, it is not appropriate for every service provider to know their customers equally well, regardless of the purpose, use, or value of the product/service offered. Information requirements must be proportionate, appropriate, and justifiable to the customer. It makes no sense to request information simply for the sake of it (especially if a customer cannot provide it); the request should be proportionate and appropriate to the customer with whom the subject person intends to establish a business relationship or conduct an occasional transaction.
Risk Triggers Requiring EDD
Having defined EDD (and established its scope and purpose), it is worth looking at scenarios where EDD is legally required. Interestingly, the FMA (New Zealand) mandates that EDD measures should be considered whenever there is a "material change" – i.e., an event, activity, or situation that (e.g., usually during monitoring) could alter the level of ML/TF risk. Such a material change might exist if the customer requests new or higher-risk products, if a trust is set up, or if the volume/scope of the customer's activities or transactions increases beyond what would reasonably be expected.
From a purely local (Maltese) perspective, Regulation 11 states that EDD shall be applied (introduced) "in addition" to the measures provided in Regulation 7 of the PMLFTR:
- In relation to activities where the FIAU identifies a high risk of money laundering or terrorist financing (primarily according to the National Risk Assessment);
- Whenever the subject person determines, through a risk assessment, that either the occasional transaction or the business relationship presents a high ML/TF risk;
- In the context of correspondent relationships with institutions from non-EU member states;
- When dealing with Politically Exposed Persons (PEPs);
- When analyzing complex, large transactions that follow an unusual pattern or have no apparent economic/lawful purpose; and
- When dealing with non-reputable jurisdictions.
EDD Measures in Practice
While obtaining brief descriptions of business activity may be acceptable in a low-risk scenario (provided the nature and purpose are understood), additional information must be requested in "high-risk" cases. This is typically done by substantiating findings with documentation and (where applicable) additional measures as set out in the FIAU Implementing Procedures. These may include conducting additional research (e.g., adverse media checks) and/or requesting information on the Source of Funds and Source of Wealth (to ensure they are not proceeds of crime).
The FCA's "Financial Crime Guide" advises, as part of its EDD recommendations, gaining a "better understanding of the customer's/firm's reputation and/or their role in public life and assessing how this affects the risk level." The New Zealand FMA also recommends distinguishing between a customer who has a higher risk profile but is not involved in ML/TF, and a customer whose transactions or activities might be linked to ML/TF. Therefore, all situations should be assessed on a case-by-case basis, taking existing legislation into account.
The FIAU Implementing Procedures are indeed very risk-averse when it comes to PEPs. Regardless of whether a business relationship presents a low risk or not, whenever a subject person deals with a PEP, a family member, or a close associate of a PEP, EDD measures must be applied. According to the PMLFTR, these must also include: [3] 1) Senior management approval, 2) Taking adequate measures to establish the Source of Funds (SoF) and Source of Wealth (SoW), and 3) Enhanced monitoring of such relationships.
While it may be permissible in low-risk situations to verify the identity of the customer/beneficial owner during the establishment of the relationship (depending on policies and procedures), this is an absolute "no-go" for high-risk business relationships. In high-risk scenarios, all identification and verification requirements should be met before formal engagement.
In situations presenting a greater risk of ML/TF, requesting information on the customer's residency status, employment, salary, and other sources of income/wealth (e.g., inheritance, sale of property, or disposal of assets) is critical in deciding whether to accept the customer. EDD measures might also include requiring the first payment to be made via an account held in the customer's/firm's name at a credit institution in the EU/EEA.
The UK FCA mandates that when applying EDD measures, it is also crucial to establish how the customer/entity acquired their wealth to ensure it is legitimate. Consequently, identifying (and proving) the Source of Wealth is perhaps the biggest challenge for all subject persons – especially when dealing with complex structures or beneficial owners who are High-Net-Worth Individuals (HNWI). However, as the JMLSG highlights, "the availability and use of financial information is important to reduce the additional costs of collecting customer due diligence information – and can help to better understand the risk associated with the business relationship."
While in low-risk scenarios, ongoing monitoring might be conducted every two or three years, in high-risk situations, enhanced monitoring of the business relationship must be considered (either annually or semi-annually), depending on the initial Customer Risk Assessment (CRA). Another EDD measure in this context is increasing the frequency and timing of controls (and/or selecting transaction patterns based on risk triggers) – particularly when the obligation to conduct transaction monitoring arises.
While "low-risk scenarios" might fall well within a subject person's risk appetite, this is certainly not true for all "high-risk situations." Essentially, much depends on the risk tolerance and customer acceptance policy of the subject person. Although not directly linked to EDD, for a portfolio of clients classified as "high risk," it would be advisable to either conduct a de-risking exercise or introduce a cap/threshold system to mitigate the overall concentration risk posed by high-risk clients.
Non-Reputable Jurisdictions
EDD measures must also be applied when the subject person deals with natural/legal persons based in a non-reputable jurisdiction. While EU/EEA countries impose fewer obligations on the subject person (particularly regarding risk), additional information is certainly required for connections to non-reputable jurisdictions. This specifically concerns the Source of Funds, the accounts through which funds flow, and the degree and extent of connections with the non-reputable country (does this relate only to nationality and/or Source of Wealth, or do business activities also take place in that country?), and/or requesting further documentation on nature and purpose.
Senior Management Involvement
In practice, it is also advisable not to rely exclusively on the subject person's policies and procedures, but to discuss risk mitigation techniques with colleagues or senior management – especially since every business case typically presents its own unique ML/TF threats. For this reason, senior management approval is crucial in this context, as the Board not only "owns" the risk but should also foster a culture of compliance.
This extends to the point where the FIAU Implementing Procedures (Part I) also mandate that the subject person should have a clear policy for escalating decisions on accepting or continuing high-risk business relationships to senior management.
Conclusion
While all practitioners understand the importance of the term "EDD," its application and methodology remain largely at the discretion of the subject person. Much will depend on the AML/CFT Manual (P&Ps), which should contain a comprehensive description of how EDD measures are to be applied on a case-by-case basis. However, this should not distract from the fact that compliance officers must take a proactive approach and apply EDD whenever a situation presents a higher ML/TF risk.
To this end, relying solely on procedures may not be enough. Instinct and knowledge (acquired through ongoing research and training) will also prove decisive in the fight against money laundering and terrorist financing.
Disclaimer: The above article is based solely on independent research by Dr. Werner & Partners and does not constitute legal advice. If you would like to meet with one of our representatives for further information, please book an appointment with us.
[1] Conducting Customer Due Diligence is of paramount importance, particularly in the context of customer identification, risk management, customer acceptance, and monitoring – four key elements of a sound KYC program, as described in the Basel Committee paper of October 2001.
[2] Regulation 7(5)(a-c) of the PMLFTR
[3] According to Regulation 11(5)